The Human Factor

January 7th, 2010

Link: http://www.reuters.com/article/idUSTRE60654M20100107

As is so often the case in security, the weakest link in the chain is the human one.  In the story linked above, a security officer walks away from his post and a "bad guy" takes advantage of the unattended checkpoint to breach the security.  In this case we're lucky it only caused a huge hassle and a temporary airport shutdown.  It could have been far worse if the unmonitored checkpoint had been breached by somebody intending something far more nefarious than a goodbye kiss.

What's especially distressing about this is that it came hot on the heels of the Christmas Underwear Bomber who tried to blow up a flight to Detroit.  If ever there was a time that airport security folks should have been keenly focused, it would be the days immediately following such a near miss.

When the White House threw a party for the Indian Prime Minister, two people (at least) walked right through White House security, which I think we can agree is usually pretty tight, and spent the evening partying with some of the top people in our government.  Once again, it was the carbon-based security tool (the humans) that let us down.

So what does this mean for you?

The human factor is alive and well in our firms too.  Do you have a receptionist?  They are your first line of security against intruders during the day.  Do they greet each and every person who gets off the elevator or comes through the door?  Does your staff know to be observant for unescorted strangers in the office?

And that's just physical security.  Do they know not to give their passwords out on the phone or via e-mail?  Have they been educated about not clicking on unexpected attachments and keeping their antimalware software up-to-date?

What's Your Action Item?

I like to make this information actionable so here you go...

  • Have a friend who isn't known to your staff try to walk into your office and see how long it takes for somebody to ask them who they are and what they're doing there.  Try having them carry a clipboard.
  • Have a friend (same friend?) call a random staff member or three, pretending to be the IT department and needing to "verify" or "reset" their password.  See if the staffer will give them the password.
  • Walk around the office during business hours and see how many of your doors to the outside are actually unlocked from the outside.
  • Walk around the office AFTER business hours and see how many doors, inside and outside, are unlocked and how many computers were left turned on and logged in.
  • Educate your staff about security for their HOME computers: antimalware software, personal firewalls, making smart decisions about opening attachments and surfing to websites, encrypting mobile storage devices, etc.

Knowledge is power, and the events of recent months should have driven home the fact that it doesn't matter how good our security products are if our security processes (and the PEOPLE who support/apply/enforce them) are neglected.

Security Vulnerability in Adobe Acrobat (and Reader)

January 7th, 2010

Link: http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html

There's a serious security issue in the wild today that affects Adobe Reader and Acrobat versions 8 and 9 at least, and possibly earlier versions too.  The issue arises when an attacker sends the victim a malicious PDF file.  A what?!  "How can a PDF file be malicious?" you ask.  Well, recent versions of Acrobat and Reader support JavaScript embedded within PDF files, and a script in the file runs when the file is opened.  "Why on earth would I want that?!" you're probably wondering.

I'm wondering too.
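To make the "malicious PDF" idea concrete, here is a small scanner, added here as an example and not code from the original post or from Adobe, that looks inside a PDF for the name objects that carry script or auto-run behaviour (/JavaScript, /JS, /OpenAction, /AA, /Launch).  It handles two tricks real samples use to hide those names: hex-escaping inside the name (/Java#53cript) and burying the dictionary in a Flate-compressed stream.  The three PDFs it is run against are constructed inline for the demonstration and are not malware.

```python
"""Flag PDFs that carry JavaScript or other auto-run actions (added example)."""
import re
import sys
import zlib

# PDF name objects worth a closer look: /JavaScript and /JS carry script,
# /OpenAction and /AA run an action on open or on an event, /Launch runs an
# external program.
SUSPECT_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /Java#53cript compares equal to /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflated_streams(data: bytes):
    """Yield the decompressed body of every Flate-compressed stream."""
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate (or corrupt); the raw bytes are scanned anyway


def scan_pdf_bytes(data: bytes, inflate: bool = True) -> dict:
    """Return {name: count} for every suspect name found in the file.

    With inflate=False only the raw bytes are examined, which is what a naive
    string search sees; names hidden in compressed streams are then missed.
    """
    parts = [data] + (list(inflated_streams(data)) if inflate else [])
    counts = {}
    for part in parts:
        part = normalize_names(part)
        for name in SUSPECT_NAMES:
            # Delimiter lookahead keeps /JS from matching inside longer names.
            n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", part))
            if n:
                counts[name.decode()] = counts.get(name.decode(), 0) + n
    return counts


# Constructed samples (not real malware): a plain one-page file, one with an
# open action whose /JavaScript name is hex-escaped, and one whose script
# dictionary sits inside a Flate-compressed stream.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

JS_PDF = BENIGN_PDF.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 4 0 R >>"
).replace(
    b"trailer",
    b"4 0 obj << /S /Java#53cript /JS (app.alert('hello')) >> endobj\ntrailer",
)


def hidden_js_pdf() -> bytes:
    """Sample whose suspect names only exist inside a compressed stream."""
    body = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hidden')) >>")
    obj = (b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
           + body + b"\nendstream endobj\n")
    return BENIGN_PDF.replace(b"trailer", obj + b"trailer")


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = scan_pdf_bytes(fh.read())
        print(f"{path}: {hits or 'no suspect names'}")
```

Run it as `python scan_pdf.py *.pdf` on a mail attachment folder.  A hit is not proof of malice (legitimate forms use /JS too), but a PDF from a stranger that carries /OpenAction plus /JavaScript deserves to be opened with scripting disabled or not at all.  Object streams (/ObjStm) and filters other than Flate are not unpacked here, so a clean result is not a guarantee either.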

The mitigation is to disable it, and I think ALL of you should go and do that right this moment.  To disable it just open Adobe (Acrobat or Reader), then go to Edit | Preferences (or press CTRL+K) | JavaScript; the very first option on the page, "Enable Acrobat JavaScript", is the one.  Just uncheck that box and OK your way back out.

Problem mitigated.  Turning JavaScript off removes the path the current exploits use, but the underlying bug stays in the program until Adobe's patch is installed, so treat this as a stopgap rather than a fix.  Expect some PDF forms that depend on scripting to stop working.

By the way, if you have BOTH Acrobat and Reader installed you'll want to change this setting in both of them.

You can find more information about this in the link above, or in this article.

UPDATE: There are active exploits for this in the wild.  A patch from Adobe is forthcoming but as of this writing not yet available.  More information from Network World here:

You can reach Ben M. Schorr at bens@rolandschorr.com or by phone at 808-782-6306.

Conficker Cripples New Zealand Hospital

December 17th, 2009

Link: http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10616074

A report out of New Zealand says that a computer worm has crippled the Waikato District Health Board, and while the hospitals are apparently still operating for emergency treatment they are asking other folks not to come in if they don't have to.  Clearly the health system is operating at a dramatically diminished capacity.

The thing about this that is so infuriating is that the worm that has wreaked this havoc is apparently....Conficker.

Conficker?  Really?  This is like missing work because you've got smallpox.  Microsoft has had a patch out to prevent Conficker (MS08-067) since October of 2008.

Folks, it's bad enough to have to shut down your systems to fight a worm or virus.  Don't add insult to injury by letting something old and preventable like Conficker land you on the front page of the Journal.  Start right here:   http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx.

Then make sure you have Automatic Updates turned on in Windows.  It's free.  If you're an organization with a server and a bunch of PCs, consider installing Windows Server Update Services (WSUS) to help manage your updates.  It's free too.

Then make sure you're using a quality anti-malware product.  We recommend ESET's NOD32, or Trend AntiVirus.  For home users Microsoft's Security Essentials is free and easy and there's NO EXCUSE not to have it.

Once you've got that anti-malware software installed you need to make sure that it stays updated.  You can't just install it once and forget about it.  It should be configured to update automatically, but check occasionally to make sure that it IS.  If you have a commercial product (i.e. one you had to pay for) make sure you keep the subscription up to date.  If you let it expire you may stop getting updates and then your protection is compromised.
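Telling people to "install MS08-067" is only useful if you can check who actually did.  The script below, added here as an example and not something from the original post, reads the hotfix list that `wmic qfe get HotFixID` prints on a Windows machine and reports whether KB958644 (the knowledge base article for MS08-067) is present.  The two sample listings are constructed for the demonstration, not captured from real hosts.  One caveat built into the check: KB958644 only ever appears on XP, Server 2003, Vista and Server 2008; Windows 7 and Server 2008 R2 shipped with the fix built in, so on those the absence of the KB is not a finding.

```python
"""Check a Windows host's hotfix list for the MS08-067 fix (added example)."""
import platform
import subprocess

# Security bulletin -> KB article.  MS08-067 is KB958644; extend this dict with
# whatever else your baseline requires.
REQUIRED_KBS = {"KB958644": "MS08-067, Server service RPC bug used by Conficker"}

# Windows 7 / Server 2008 R2 were released with the fix already in the build,
# so the KB never shows up in their hotfix list (assumed major.minor 6.1).
BUILT_IN_FROM = (6, 1)


def parse_hotfix_ids(wmic_output: str) -> set:
    """Parse `wmic qfe get HotFixID` output: a header line, then one KB per line."""
    ids = set()
    for line in wmic_output.splitlines():
        token = line.strip().upper()
        if token.startswith("KB") and token[2:].isdigit():
            ids.add(token)
    return ids


def missing_required(installed: set, os_version=(5, 1)) -> dict:
    """Required KBs not in the installed set, for an OS that needs them at all."""
    if os_version >= BUILT_IN_FROM:
        return {}  # fix is part of the build; nothing to install
    return {kb: why for kb, why in REQUIRED_KBS.items() if kb not in installed}


def live_check() -> dict:
    """Run the real query on the local machine; Windows only."""
    if platform.system() != "Windows":
        return {}
    out = subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                         capture_output=True, text=True, check=False).stdout
    major, minor = (int(x) for x in platform.version().split(".")[:2])
    return missing_required(parse_hotfix_ids(out), (major, minor))


# Constructed sample listings in the shape wmic prints (trailing spaces, CRLF).
SAMPLE_UNPATCHED = "HotFixID  \r\nKB956572  \r\nKB958687  \r\nKB960803  \r\n"
SAMPLE_PATCHED = SAMPLE_UNPATCHED + "KB958644  \r\n"


if __name__ == "__main__":
    gaps = live_check()
    for kb, why in gaps.items():
        print(f"MISSING {kb}: {why}")
    if not gaps:
        print("no required hotfixes missing (or not a Windows host)")
```

The hotfix list is not the whole story: a machine that was reimaged from media with the patch slipstreamed, or one whose update was later superseded by a service pack, can show the fix under another name or not at all.  For a fleet, WSUS reporting is the authoritative view; this script is the quick spot check for the one laptop that never joined the domain.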

This isn't rocket science folks.  Basic due diligence.  If it really was Conficker that brought down their network then an argument could be made that their IT folks failed to meet the standard of care.  All they had to do was install an update that has been readily available, for free, for more than a year.  There are even free systems available that would have installed that patch for them.  Getting nailed by Conficker in this day and age is embarrassing and inexcusable in my opinion.

More information about Conficker:


TSA Opens the Gates

December 9th, 2009

Link: http://abcnews.go.com/Blotter/massive-tsa-security-breach-agency-secrets/story?id=9280503&page=1

Tell me again how big organizations with lots of resources are so much better at security than small firms?  The Transportation SECURITY Administration (they even have the word "security" in their name) has apparently exposed some sensitive documents to the Internet.

If an organization whose entire purpose of being is safety and security can make a mistake and expose an important document don't you suppose that maybe it could happen to a relatively small provider who is hosting your documents?

Software as a Service (SaaS) may have a role in your firm, but don't accept the argument that just because they've got a lot of resources, or because they claim that security is important to them, that your data is automatically safe.  Even the TSA and the Secret Service occasionally drop the ball on security.  Yes, so does Google.

Why am I telling you this?  Because I'm stunned at the level of complacency I see on the subject from folks who are charged with the confidences of their clients.  The vendors too often brush off the question of security by saying "Hey, we're bigger than you, we MUST be secure!" and too often I see folks just nod like that was an acceptable answer.

Security is a process.  Even the biggest companies, or the Federal Government, can have security lapses if their processes are inadequate or not properly followed.


When Your Mobile Device Becomes TOO Mobile

November 30th, 2009

It never ceases to amaze me when I hear this story (sanitized to protect identities):


Client's notebook PC and removable hard drive were stolen on Friday (smash and grab from client's car in mall parking lot).

Hard drive was unencrypted and contained 10+ years of personal and business financial data records, including copies of personal and business federal and state income tax returns (with SSNs), check registers, QuickBooks files for business, contracts, contract proposals, vendor lists, customer lists, etc., etc. Basically anything you could need to steal the identities of client and several family members has been compromised.

Reported theft with local police - they give virtually no chance of recovery. Any ideas what client should do next?

Step one, folks: pretty much every laptop made has a BIOS password you can set that renders the machine unbootable unless that password is entered.  That's something you can do right this very moment, for free, to give your machine SOME security.  Just reboot your laptop; when the prompt comes up to enter SETUP (usually by pressing DELETE, F2 or F12 very early in the boot process), go into the setup and look for the Security settings.  There is almost certainly a "User password" or "Startup password" or something similar that you can enable.

Select a good password.  "123" is not a good password.

If your machine happens to support drive encryption in hardware then PLEASE ENABLE IT!  But many devices don't encrypt the drive; they just lock the boot process.

So for those machines does locking the boot process mean the job is done?

Not quite.  That prevents the machine from booting without a password, but a professional will simply remove the hard drive and attach it to another machine as a secondary drive, bypassing the need to boot from it.  You still need drive encryption.

If you're running Windows 7 then hopefully you got the Ultimate or Enterprise edition, the two that include BitLocker.  If so, turn it on.  How?  Go to Computer or Windows Explorer, right-click the drive you want to protect (your C: drive most likely) and select "Turn On BitLocker".  Save or print the recovery key it offers you and keep it somewhere other than the laptop bag; without it, a forgotten password or a replaced motherboard means the data is gone for you too.

Scary thought: More than 12,000 laptops are estimated to be lost or stolen in the U.S. EVERY WEEK.

If you don't have Windows 7, or you have an edition of Windows 7 that doesn't include BitLocker, then you need TrueCrypt.  It's free, it's easy to implement and it can save you a LOT of heartaches if your portable device goes missing.  You can find it here: http://www.truecrypt.org/  (If your PC does have BitLocker but simply lacks a TPM chip, BitLocker can still be used with a USB startup key once the "Allow BitLocker without a compatible TPM" Group Policy setting is enabled.  Note also that TrueCrypt development ended in 2014; its maintained successor is VeraCrypt.)

UPDATE: I've written an article on how to encrypt a laptop using TrueCrypt. You can read it here.

BitLocker and TrueCrypt CAN be used on removable and external hard drives, including USB devices, too; in Windows 7 the removable-drive flavour is called BitLocker To Go.
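Turning BitLocker on is one thing; knowing it stayed on across every laptop is another.  Here is a small audit script, added as an example and not code from the original post or from Microsoft, that parses the report `manage-bde -status` prints on Windows 7 and lists every volume whose contents would be readable if the disk were pulled.  It treats two states as failures, not just "never encrypted": a volume that is fully encrypted but has protection suspended (the key is then stored in the clear on disk) and a volume whose encryption is still in progress.  The sample report below is constructed to mirror the tool's layout and is not captured from a real machine.

```python
"""List volumes that BitLocker is not actually protecting (added example)."""
import platform
import re
import subprocess

_VOLUME = re.compile(r"^Volume ([A-Z]:)")


def parse_status(text: str) -> dict:
    """Map each drive letter to the 'Field: value' lines manage-bde prints for it."""
    volumes = {}
    current = None
    for line in text.splitlines():
        m = _VOLUME.match(line)
        if m:
            current = m.group(1)
            volumes[current] = {}
            continue
        if current and ":" in line:
            key, _, value = line.strip().partition(":")
            volumes[current][key.strip()] = value.strip()
    return volumes


def unprotected_volumes(text: str) -> list:
    """Drive letters whose data is readable from a pulled disk."""
    bad = []
    for letter, fields in parse_status(text).items():
        protection = fields.get("Protection Status", "")
        conversion = fields.get("Conversion Status", "")
        # "Protection Off" on a fully encrypted disk means protectors are
        # suspended and the key sits in the clear; anything short of "Fully
        # Encrypted" still leaves plaintext sectors on the platter.
        if "Protection On" not in protection or "Fully Encrypted" not in conversion:
            bad.append(letter)
    return bad


def live_status() -> str:
    """Run manage-bde on the local machine; empty string off Windows."""
    if platform.system() != "Windows":
        return ""
    return subprocess.run(["manage-bde", "-status"], capture_output=True,
                          text=True, check=False).stdout


# Constructed sample in the shape of manage-bde -status output: C: protected,
# D: encrypted but suspended, E: never encrypted.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7600
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size:                 232.00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume D: [DATA]
[Data Volume]

    Size:                 120.00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        Password
        Numerical Password

Volume E: [BACKUP]
[Data Volume]

    Size:                 465.76 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""


if __name__ == "__main__":
    report = live_status() or SAMPLE_STATUS
    for letter in unprotected_volumes(report):
        print(f"{letter} is NOT protected by BitLocker")
```

Run it from an elevated prompt (manage-bde needs administrator rights) or push it out as a logon script that writes the result to a share; the point is to catch the "I turned it off for a firmware update and forgot" case before the laptop, not after.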

Soon we'll talk about encrypting and locking your smartphones too...

-B-